revengerat | 179d2a85a10ac57bbbed4ea5cb3b48c407d6f2a701c993d0b8b449f43f140aff

Analysis

max time kernel
130s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe
Size

220KB
MD5

8b1eff957cbbabe0de8eadb89c03bd33
SHA1

2ec99b5ee61b9c2ef59a140feabcc2e3dd8d10f7
SHA256

179d2a85a10ac57bbbed4ea5cb3b48c407d6f2a701c993d0b8b449f43f140aff
SHA512

ff5289179084d146cd0b99c04942ffe10d8d44daca33244b3b0aecc216e0e3dfa78f9abc52d1c50e357d65afaa35fe7162bbce218587e9dbac855ab5c8d3fc54
SSDEEP

3072:ljshpXXFMFcU+AdU8fhiSQog87VHy3F69PuqnN1f:tsXFtAvcmgqHwF60S

Score

10^/10

revengerat guest discovery stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

dnstext.publicvm.com:112

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2424-21-0x0000000001D50000-0x0000000001D58000-memory.dmp	revengerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe

Executes dropped EXE 1 IoCs

pid	Process
2504	Client.exe

Loads dropped DLL 1 IoCs

pid	Process
2424	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2424	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe
2424	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe
2504	Client.exe
2504	Client.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe
Token: SeDebugPrivilege	2504	Client.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1044	2424	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	28
PID 2424 wrote to memory of 1044	2424	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	28
PID 2424 wrote to memory of 1044	2424	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	28
PID 2424 wrote to memory of 1044	2424	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	28
PID 1044 wrote to memory of 2780	1044	csc.exe	30
PID 1044 wrote to memory of 2780	1044	csc.exe	30
PID 1044 wrote to memory of 2780	1044	csc.exe	30
PID 1044 wrote to memory of 2780	1044	csc.exe	30
PID 2424 wrote to memory of 2504	2424	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	33
PID 2424 wrote to memory of 2504	2424	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	33
PID 2424 wrote to memory of 2504	2424	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	33
PID 2424 wrote to memory of 2504	2424	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	33
PID 2504 wrote to memory of 2804	2504	Client.exe	34
PID 2504 wrote to memory of 2804	2504	Client.exe	34
PID 2504 wrote to memory of 2804	2504	Client.exe	34
PID 2504 wrote to memory of 2804	2504	Client.exe	34
PID 2804 wrote to memory of 2560	2804	csc.exe	36
PID 2804 wrote to memory of 2560	2804	csc.exe	36
PID 2804 wrote to memory of 2560	2804	csc.exe	36
PID 2804 wrote to memory of 2560	2804	csc.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vud2qqg1\vud2qqg1.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82F5.tmp" "c:\Users\Admin\AppData\Local\Temp\vud2qqg1\CSC5BAE06D982334539909D7126512F4B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\Users\Admin\AppData\Roaming\Client.exe
  "C:\Users\Admin\AppData\Roaming\Client.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yo0qydhh\yo0qydhh.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD78.tmp" "c:\Users\Admin\AppData\Local\Temp\yo0qydhh\CSCF54445C53AD2468ABC69CD489B88E93.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES82F5.tmp

Filesize
1KB

MD5
6c79361beee269b948df06659619748e

SHA1
fc296a7439f7bd1e2dc3b34e69ed897520804e4c

SHA256
f05d71abc708557d57cc5bcd6da98a246b624c0ac9e7f841acf82797ece08049

SHA512
ea47a7bb2c1f3a330ff0c3d2361f4f5c61d0a93ebad43187054fe50f56c36c09ab44443f7f8d84c7bca89e447a6bd0310abde73f1b0ec32f1641e56a898df897

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD78.tmp

Filesize
1KB

MD5
63adceaefef2190cef68994010cc5f5a

SHA1
197a00b9978af1dfc49821afcb700f220c2ba180

SHA256
6ac7de0b025d3a9c36f85a28b9f5eb14ddface161efb9eed55db7951afa6f59c

SHA512
0ab5f8791c9c164ef42ed82d0efaa87b9e50c30f9e464099da393da4f2c0305e0430a370f24da12f6f0f71dda6ebcc440ee0e84ba30cabcd1afb8e24cd3cbf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vud2qqg1\vud2qqg1.dll

Filesize
7KB

MD5
fa4c8929e0ea4de58735cd66b3bd2241

SHA1
38aa83ba17876f973771f34452109f219c7614fa

SHA256
69ee3003cf758fbe5409837e5ca910aa6755ae2cb37a9925b4606d36a2f4cc91

SHA512
b9474eface066b7a6312282d91a32e4efeb6ceb449b0b13dae7e77d6c7a9799b9ec32b01532bf957070fb0c2f40d989037c68ccd49894e2441c884f9f9c05552

Download Submit
C:\Users\Admin\AppData\Local\Temp\vud2qqg1\vud2qqg1.pdb

Filesize
23KB

MD5
b72c1af173319f8b2471bec3567423d0

SHA1
8dc8adeb512d7489e98005af26ae77ce12fcf8ab

SHA256
65b12bc92e3490b2f29c951170f897df73c1eea2e7f06181c9c4849622bc9498

SHA512
6a8b81288ea55236e53bdbd06815ce4e5fe367b0c8311945054b66ee86be07b4ab56696a0cd2aa07104abd2139fde00a9fdd779ebf7f3aeefb12ade013cc0159

Download Submit
C:\Users\Admin\AppData\Local\Temp\yo0qydhh\yo0qydhh.dll

Filesize
7KB

MD5
e8322c582f0585cfdd9fcb9ccf5f67ca

SHA1
d079e9079af4553bb9b0ace0fc9b7d06abb0803b

SHA256
303bcab9f25a15af75fe180e284a11aa9814a036e1ae2acb95ca7b6c40b22830

SHA512
0af13bbc4600c42468ea03045bb88765e357e32068e52bb1b7df3bb2dfb5468232ce872386dd574ffbcb540598fb58602eeeb93b377adf95978f534b65f42076

Download Submit
C:\Users\Admin\AppData\Local\Temp\yo0qydhh\yo0qydhh.pdb

Filesize
23KB

MD5
39350d1b7237b985ae79b03398d4811a

SHA1
19ec5336bfe37d76d6fd2652d8420025acebedb2

SHA256
64c3f2d956b9cf1d2565bf1c87db26fb06fba8e2bf2f4eb52338dd36fa50b27b

SHA512
f0e3871dcedfcadad690617c6c99422693eeca8eb5b36999c1a6ed72d2d04e2f919d81ac90cf2e462d77edc6fc41eddcb2f597bae07c10f6b3c57d1b66f9cff9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vud2qqg1\CSC5BAE06D982334539909D7126512F4B.TMP

Filesize
1KB

MD5
f54c45b1f1fcc6054acfacc348210820

SHA1
b8565e32e367c2b517885f36812452a76087ce43

SHA256
e6b311f892c1f764760ab5e742d0ae29eb627cdca423222c7d22841840b96072

SHA512
0efda4455fc9f88f81b3689061b3ade7a2b0580c5182a8554904047f3340e69f555516b276b17138a1fa6ccd5c0ef1f810f4e57ebed9c6b182328a2e7b07fc8b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vud2qqg1\vud2qqg1.0.cs

Filesize
5KB

MD5
4949667438d5392543cfdd46006a2f06

SHA1
7ad3f3b16fce93fd4e56f24f13610e9761a48eb0

SHA256
03626e616391cac1bf69f60da6dd99ec1ee697a58e428ab69d27a22afad62ea3

SHA512
0967e449f9f2c4015d8da02b7b6aadfe7f6af9ea2140c4c3f6f3efaa7d5cfb449bce819e41093727a90743c1a8d7d6b3c67f30ecc3aa9a28fb02d3dd34c08c68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vud2qqg1\vud2qqg1.cmdline

Filesize
312B

MD5
63487b619e12eff19ef3756a02751f4f

SHA1
e2164c55163d60b51b908f52af8828851c957a74

SHA256
0576bf1c3d1d2599ca51bcac0779dcb0f866e5888bf30f7007bf1579303ccabe

SHA512
818c1ce7ad6c196f888b5d89eb8893a2d29f5e377a7f4b47230a3caab04789967404461de7c9468811e133997ece8272ebd0bad4dad1a285dd776a0a89ca6099

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yo0qydhh\CSCF54445C53AD2468ABC69CD489B88E93.TMP

Filesize
1KB

MD5
22a03ae654a8377470a54f83fd188872

SHA1
bb7509135d3d8d356522ba10db4e5ef191df3888

SHA256
c3f06ba9a8c58c5ff7230a703c9a99a9a5587915b2c70cd1a6b66f0146fda77a

SHA512
07145ae2cddc3678974c3bca2899b71a1000aa28824b16c0b758556d5dc2767359ed5c720c449b5ab2f2675f65283934db45aea33501cf2fb538a600032d02ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yo0qydhh\yo0qydhh.cmdline

Filesize
312B

MD5
1caa4e385f067c2ccfde207fc736eb74

SHA1
36f198dd2a1ac85cef9e9d9b5d5dd50bf7a328f5

SHA256
71c9a1c1206f38d5efa01d3ca3064b8f6497f40e8791382b86468b130a2df014

SHA512
931027ce38579567b897a63e115ef680bba2c5ae360440f00ee1aa28b791b5dbc3b60936d3528eb7211b5d46eed5f1644c3a82590b3597bed849263d6d8786cd

Download Submit
\Users\Admin\AppData\Roaming\Client.exe

Filesize
220KB

MD5
8b1eff957cbbabe0de8eadb89c03bd33

SHA1
2ec99b5ee61b9c2ef59a140feabcc2e3dd8d10f7

SHA256
179d2a85a10ac57bbbed4ea5cb3b48c407d6f2a701c993d0b8b449f43f140aff

SHA512
ff5289179084d146cd0b99c04942ffe10d8d44daca33244b3b0aecc216e0e3dfa78f9abc52d1c50e357d65afaa35fe7162bbce218587e9dbac855ab5c8d3fc54

Download Submit
memory/2424-19-0x0000000000450000-0x0000000000464000-memory.dmp

Filesize
80KB

Download
memory/2424-22-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-21-0x0000000001D50000-0x0000000001D58000-memory.dmp

Filesize
32KB

Download
memory/2424-34-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-20-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2424-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/2424-17-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2424-6-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-1-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2504-30-0x0000000000C50000-0x0000000000C8E000-memory.dmp

Filesize
248KB

Download
memory/2504-46-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download